If you're still using Windows 7, you need to install this important, free 0-day patch
Windows 7 may be rather long in the tooth, but there are still millions of people using it globally. And just because the operating system has been around for years, that does not mean all of the bugs and security issues have been ironed out; far from it, in fact.
Earlier this month a security researcher discovered a local privilege escalation vulnerability in both Windows 7 and Windows Server 2008 R2. There's no indication that Microsoft will issue a patch even for organizations the paid for extended support, but the vast majority of Windows 7 users will be left vulnerable. Or at least that would be case if it wasn't for 0patch stepping up to the plate and making a micropatch available for free.
- Microsoft may have dropped Office 2010 but 0patch will still offer security patches
- Microsoft is holding back on Windows 10 updates in December
- Failing KB4586781 update installations are causing 0x8007000d errors and more for Windows 10 users
This is not the first time 0patch has stepped in to save the day, and last year the company "security adopted" Windows 7 and Windows Server 2008 R2 to help ensure that millions of remaining users were not left unprotected.
The discovery of this latest local privilege escalation vulnerability is just the latest example of the third-party company helping to secure computer and, importantly, this time around the micropatch is being made freely available to anyone who needs it rather than just to customers with paid-for 0patch subscriptions.
Clément wrote a very useful permissions-checking tool for Windows that find various misconfigurations in Windows that could allow a local attacker to elevate their privileges. On a typical Windows 7 and Server 2008 R2 machine, the tool found that all local users have write permissions on two registry keys:
These didn't immediately seem exploitable, but Clément did the legwork and found the Windows Performance Monitoring mechanism can be made to read from these keys - and eventually load the DLL provided by the local attacker. To most everyone's surprise, not as the local user, but as Local System.
In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker's DLL and executing code from it.
The video below shows how an attack can take advantage of the vulnerability:
0patch warns that its micropatch "breaks performance monitoring for the affected services" (namely Dnscache and RpcEptMapper, but say that this is "a trade-off we believe is beneficial to our users". The patch will be free for everyone until Microsoft issues a fix of its own -- assuming the company does indeed patch the vulnerability.
If you already have a 0patch plan, you will be able to download the micropatch immediately. If not, you can sign up for a free account here and use the platform to grab the patch.